Log issuer certificate expiry

When a new issuer certificate is loaded, log its NotAfter time in unix epoch format, along with the current process wall clock time. This addresses #11215 Signed-off-by: Nathan J. Mehl <[email protected]>
linkerd · Jan 30, 2025 · f672b03 · f672b03
1 parent b707b9e
commit f672b03
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pkg/identity/service.go b/pkg/identity/service.go
@@ -132,6 +132,10 @@ func (svc *Service) loadCredentials() (tls.Issuer, error) {
 	}
 
 	log.Debugf("Loaded issuer cert: %s", creds.EncodeCertificatePEM())
+	log.WithFields(log.Fields{
+		"invalid_after":      creds.Certificate.NotAfter.Unix(),
+		"process_clock_time": time.Now().Unix(),
+	}).Info("Issuer cert loaded")
 	return tls.NewCA(*creds, *svc.validity), nil
 }